Security zone: Cultivating the secure mindset for systems development

In speaking at the inaugural IT Decisions conference held in Birmingham last month, I asked delegates to consider how we can tackle the issue of software security with better decision making and what would be required to make this possible, writes Alessandro Moretti, executive director and head of risk central services at UBS.

In speaking at the inaugural IT Decisions conference held in Birmingham last month, I asked delegates to consider how we can tackle the issue of software security with better decision making and what would be required to make this possible, writes Alessandro Moretti, executive director and head of risk central services at UBS. While it is recognised that vulnerability to fraud is often a product of insecurity in the software behind the products and services we consume, few realise that the reason it is insecure comes down to two non-technical elements: people and processes.

Download this free guide

Infographic: How to future-proof UK technology

There is no doubt that the technology industry is booming right now, bringing with it exciting social and economic opportunities. However, there is a real fear that the UK industry may be stunted due to the lack of talent available. This e-guide helps to break down the future fears and expectations of dozens of business leaders and tech workers.

I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

Please check the box if you want to proceed.

I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

This shouldn't come as a surprise. The people involved in the software development lifecycle have been equipped to make decisions focused on other priorities; generally making it more human for the user or more cost-effective for the business. Their decision-making capabilities have developed over many years and become engrained to the point where they don't have to actively think about many aspects. It has provided the foundation for well-established processes in the development sector today.

An analogy can be made with the capability we all have to efficiently tackle the task of the weekly shop. We probably make 50-60 decisions every time we make our way through the local supermarket, but they tend to come naturally with the required decision-making capability engrained.

Back to school to learn a new priority

Introducing a new priority - in this case security - into the development process is akin to asking the experienced to return to school. They need to develop an added risk perspective for almost every decision that is being made, if security is to become part of the development mindset and come naturally. Part of the requirement is knowledge and a number of organisations, including two in which I am actively involved, OWASP and (ISC)2 , have made a significant effort to document and develop education programmes using best practice. This is creating a well-maintained repository of current and very specific knowledge. The next challenge is to instil appreciation for this knowledge and the value of risk assessment as a core, even defining skill for this sector. The development community as a whole must be able to take qualified, decisive action based on the right knowledge and added risk scenario for their decision.

This is no insignificant task, particularly when you consider the macro trends in the sector. Many organisations, both end-users and suppliers, are outsourcing parts of their development to many other organisations. Ironically this could contribute to the development of an active assessment process. Everyone is going to have to get more involved in supplier assessments and in demonstrating what they are doing in this area. This will lead to more demand for certification of both the people and the processes. In addition to the knowledge base, models are emerging for measuring the maturity of the security within an organisation's development lifecycle, providing a framework for improvement.

The development community are in the early stages of a new competency that I believe will effect significant change in the sector. On the people side, it is accepted that once you go through the process of certifying enough staff in a new competency, the organisation experiences an operational benefit as decisions become risk-based and effective. Clearly this results in informed influence over process change, and the inherent competencies that are behind every decision that is taken.

Alessandro Moretti, CISSP, CSSLP, is executive director UBS, head of risk central services and is a member of the (ISC)2 European Advisory Board.

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy